Launch your own SOC or connect to an external one?

While the regulars of information security forums discuss the latest Security Operations Center technologies, taking it for granted that a center for monitoring and responding to cyber threats is a necessary part of modern infrastructure, in the real world many continue to work without one. And this applies not only to small companies but also to large organizations, because the larger the ecosystem of IT solutions, the harder it is to attach even a basic level of monitoring and response to information security events.

Nevertheless, the need for an own response center is determined by the customer's maturity … or by the sudden demands of a regulator, which immediately make everyone very mature. To track information security incidents quickly and respond to them, a certain infrastructure is needed: ready-made solutions, processes, people and computing power. And if the fundamental decision has already been made, it only remains to decide whether to build a SOC on your own resources or to receive the whole range of services as a service.

Internal or external SOC?

Before starting to build an internal SOC, you need to understand how much it will cost, that is, audit the infrastructure, choose technical solutions, and also resolve budgeting issues, establish processes and train staff.

Choosing a contractor is not easy either. There are genuinely experienced specialists on the market, as well as companies that successfully use the acronym SOC to solve their marketing problems. Therefore, even the tender alone, if the project is large enough, can take more than a year.

As a result, a typical SOC project on the customer side stretches over 2-3 years.

But hold on … the audit results lose their value six months after the audit. And if the project launches in a year, the audit, which cost both money and time, is useless. Conduct it again?

Today it is de facto considered normal for a company that wanted to build a SOC 3 years ago to still work without one. The contractors' proposals simply amount to expensive long-term construction, so the company gives up and carries on somehow, dragging out projects that were already launched and suffering from incidents that become known only from post-mortem analysis.

At the same time, using external expertise to detect information security threats also raises a number of concerns. Firstly, customers often assume that an external SOC, immediately after connecting, will flood them with its ready-made processes. And since the information security department is usually already very busy, the prospect of setting up data transfer from a dozen or two systems does not look very rosy.

Secondly, there is the problem of the contractor "getting acquainted" with the customer's infrastructure. At first glance, this looks like the same audit that must be carried out before the project. At this stage many people ask: "So what is the difference, build our own or connect a service?" There is, of course, a difference: the subsequent steps of connecting to an external SOC are much faster.

Finally, the customer himself does not always know what he has in his infrastructure, and has a hard time recognizing this. Although in fact there is nothing strange here: before a SOC was organized, inventory was clearly not the first priority.

Having analyzed all these obstacles, we found a way out: launch monitoring as a parallel process that does not disrupt the overall life of the customer company but gradually begins to supplement it. Below are the main stages of such an integration.

Business interview

First, we conduct a brief survey in the format of a business interview, during which the customer describes what the infrastructure looks like in his opinion. The interview includes a variety of questions, but here are a few key ones:

• What the infrastructure looks like as a whole: its volume and distribution
• Features of the network topology: which network segments hold the production systems, where the data center is, where the DMZ is, where administrators sit and where ordinary users sit
• Key company policies for access management, change management and, naturally, information security
• Which information systems are the most critical for the company's activities (beyond those obvious from our experience with the particular industry), and where they are located
• Whether the infrastructure uses remote access (by administrators, users, contractors) and how it is organized, etc.

Basic scenario preparation

After the conversation it becomes clear which systems can act as data sources and which of them need to be monitored first. It also becomes possible to build an initial forecast and a rough roadmap for developing the SOC service.

Connecting the main components

Each company has a set of basic infrastructure systems. For example, almost everyone uses Active Directory, some antivirus, firewalls, Internet access control (proxies), centralized inventory systems (SCCM) and so on. When a data stream arrives from these systems, we begin to see a certain set of events. And although at this stage far from the complete list of infrastructure elements is within our visibility, the collected data helps to supplement the information obtained during the business interview, confirming it or revealing discrepancies. For example, in the interview we are told that only the RDP protocol and the Remote Administrator program are used for remote access, but in practice it may turn out that administrators and users rely on a whole range of tools in their work.

Monitoring Profiling

Connecting new systems allows us to receive more and more data and to begin applying general rules (those already formulated as best practice). But the main thing is that at this stage we can already accumulate statistics. It becomes clear how incident detection works in production (although incident data is not yet sent to the customer).

Such profiling can last 1-2 months. We study who accesses which resources. We determine which traffic is considered legitimate and which is not. Interview data can also be used for profiling, but reality tends to deviate from accepted practice. For example, it often turns out that one administrator or another logs into critical databases directly from his workstation, and with root rights, instead of using a personal account and an intermediate terminal server. Or that, despite the company's ban on remote access tools, the Help Desk, under a service agreement concluded later, still uses TeamViewer to work with remote points of sale or field employees. In such a situation you need to be careful: start the actual incident detection process as soon as possible, but do not flood the customer's information security service with hundreds of notifications about events that formally violate the information security policy but are in essence an approved and working practice of the company's life.

Adaptation to reality and launch

We really do not want the new service to start a holy war inside the company. For example, it is not good if, after the launch, the head of the information security service runs around the department with a saber shouting "Traitors! You do the opposite of what you were told!" Therefore, we first study what we heard in words, then find out what reality actually is, and only after that decide whether to bring reality in line with the rules or, conversely, the rules in line with reality.

Monitoring scenarios can be handed to the first line only after the processes on the customer side have changed and the actions of employees comply with the documented rules. Until then, working monitoring lets the person in charge figure out what exactly is happening in his infrastructure.

For example, misuse of administrative accounts should lead to rules, because without control IT specialists very often neglect the need for separate accounts for everyday work and for administration. On the other hand, if IT department employees spontaneously opted for another means of remote access, and it is reliable enough, why not add it to the list of allowed ones instead of stopping people from working?
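The stages described above, from comparing interview claims with observed data through profiling to approving exceptions, in miniature as an added example (not code from the original article): a profiling window over constructed login events yields a baseline of who reaches which host from where and with which account; the baseline is compared against the declared policy; and only deviations not on the customer-approved exception list become alerts. The event fields, the policy values and the exception entry are all constructed assumptions.

```python
from collections import Counter

# Constructed sample events from a 2-month profiling window (assumed field set):
# who logged in, from which host, to which host, with which tool and which account.
EVENTS = [
    {"user": "ivanov", "src": "term-srv-01", "dst": "db-prod-01", "tool": "rdp", "account": "ivanov-adm"},
    {"user": "ivanov", "src": "term-srv-01", "dst": "db-prod-01", "tool": "rdp", "account": "ivanov-adm"},
    {"user": "petrov", "src": "ws-petrov", "dst": "db-prod-01", "tool": "ssh", "account": "root"},
    {"user": "petrov", "src": "ws-petrov", "dst": "db-prod-01", "tool": "ssh", "account": "root"},
    {"user": "helpdesk", "src": "ws-hd-02", "dst": "pos-shop-17", "tool": "teamviewer", "account": "helpdesk"},
    {"user": "sidorov", "src": "ws-sidorov", "dst": "file-srv-01", "tool": "anydesk", "account": "sidorov"},
]

# What the customer declared in the business interview (assumed values).
POLICY = {
    "allowed_tools": {"rdp", "radmin", "ssh"},  # remote access: RDP and Remote Administrator only
    "critical_hosts": {"db-prod-01"},            # reached only via the terminal server, never as root
    "jump_hosts": {"term-srv-01"},
}

# Deviations the customer reviewed and accepted as working practice
# (here: Help Desk's TeamViewer use for points of sale under a later service agreement).
APPROVED = [{"user": "helpdesk", "tool": "teamviewer"}]

FIELDS = ("user", "src", "dst", "tool", "account")

def profile(events):
    """Profiling stage: count each distinct access pattern seen in the window."""
    return Counter(tuple(e[f] for f in FIELDS) for e in events)

def deviations(counts, policy):
    """Compare the observed profile with the declared rules; one entry per (pattern, reason)."""
    found = []
    for pattern, n in counts.items():
        user, src, dst, tool, account = pattern
        if tool not in policy["allowed_tools"]:
            found.append((pattern, "undeclared remote access tool", n))
        if dst in policy["critical_hosts"] and src not in policy["jump_hosts"]:
            found.append((pattern, "critical host reached bypassing the jump host", n))
        if dst in policy["critical_hosts"] and account == "root":
            found.append((pattern, "shared root account used on critical host", n))
    return found

def alerts(devs, approved):
    """Adaptation stage: drop deviations covered by an approved exception; the rest go to the first line."""
    def excused(pattern):
        row = dict(zip(FIELDS, pattern))
        return any(all(row[k] == v for k, v in exc.items()) for exc in approved)
    return [d for d in devs if not excused(d[0])]

if __name__ == "__main__":
    for pattern, reason, n in alerts(deviations(profile(EVENTS), POLICY), APPROVED):
        print(f"{reason}: {dict(zip(FIELDS, pattern))} (seen {n} times)")
```

With the sample data, the Help Desk's TeamViewer sessions are excused by the approved exception, while the direct root logins to the database and the undeclared AnyDesk use remain as alerts.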

Bonuses for customers

Starting a monitoring service based on an external SOC brings several bonuses. One of them is a higher level of security without any additional costs. And this is not surprising, because if an information security expert has spent a week on the client's side (and this is inevitable during the initial mini-audit), he can give a whole set of recommendations for improving the settings of already installed security systems.

For example, one of the fairly common recommendations is such a banality as "Check the box in the antivirus: not only detect, but also delete". For many, this option is not enabled, and messages about the same viruses are copied and multiplied day after day. Getting started with an external SOC highlights the problem areas of the security systems and makes it clear where you just need to update the configuration.

Companies in which the basic information security issues are already settled gain other advantages. For example, those who want to build their own SOC can start with a monitoring service and build their processes as an outsourcing arrangement. After several months of work, it becomes clear to them what kind of people to look for and what data to transfer to the SOC.

But the main plus is that monitoring of information security incidents can be connected in 1-2 months. Of course, the period can vary and grow depending on the specifics of the customer's work: a heavy operational load, staff vacations, involvement of contractors and so on.

Timelines can also be shortened. Once we connected monitoring in 3 days. Yes, it was a titanic effort, but it was precisely the need and the active will on the customer's part that made it possible to build all the processes so quickly.

After the service is connected, the SIEM system gradually accumulates data and statistics, the solution is scaled and new sources are connected. The main secret is not to try to do everything at once, but to approach developing the system like raising a puppy: first "Sit" and "Lie down", and only then the difficult tricks.

Building a SOC yourself

A few practical tips for those who want to build their own SOC:

● Start building security around the most critical infrastructure elements.

● Get ready for the design work. A top-level assessment can be done quite quickly, but the construction of a SOC stretches out and gets more expensive precisely at the design stage.

● Clearly state your goals. Very often during the interview we cannot get an answer to the question of what the client wants to see as the outcome, and what he understands by the acronym SOC in practice.

● Do not try to embrace the immense all at once. A detailed statement of work is good and right, but if, due to the complexity of the project, the deadlines slip and the budget swells, nobody wins.

● If you do not understand how to build processes, start with an external monitoring service. This does not contradict creating your own SOC, but helps to build processes and learn from practitioners in the field of information security.
